[CentOS] mounting nfs as httpd_sys_content_t under selinux

Johnny Tan

linuxweb at gmail.com
Fri Dec 7 23:14:49 UTC 2007


I have an NFS mount that I want apache to be able to serve 
files from.

According to this doc:
http://www.centos.org/docs/5/html/5.1/Deployment_Guide/rhlcommon-section-0097.html

I should be able to mount it with a context that will allow 
apache to access it.

But when I try the command they suggest:

[root at vm-37:~] mount -t nfs -o \
context=system_u:object_r:httpd_sys_content_t \
192.168.1.100:/data/test /mnt/test

It mounts, but when I do:
[root at vm-37:~]# ls -lZ /mnt
drwxr-xr-x  65534 65534 system_u:object_r:nfs_t   test

It doesn't show the correct context.

(I don't know if it matters that I don't have a user with 
UID 65534, only the remote NFS server has that.)


And sure enough, apache still can't serve from it. I see 
this in /var/log/messages:
Dec  7 17:30:14 vm-37 kernel: audit(1197066614.787:240): avc:  denied  { search } for  pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Dec  7 17:30:14 vm-37 kernel: audit(1197066614.787:241): avc:  denied  { getattr } for  pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

When I "setenforce 0", it works. But I want SELinux.


Granted, I could do:
allow httpd_t nfs_t:dir { search getattr };

Well, actually, I haven't tried it but I'm guessing that 
that will work. The problem is that I have other nfs 
directories that I don't want httpd to access, even 
accidentally if we ever point httpd at those directories.

So... any ideas on the nfs mount with the context option?


I'm running CentOS-5.1 with latest updates of everything.

johnn
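An added example, not part of the original post, for the two things the message turns on: checking whether a context= mount option actually took effect (and whether ls -Z agrees with it), and seeing what allow rule the logged denials would require, which is the blanket httpd_t -> nfs_t rule the poster wants to avoid. The /proc/mounts and ls -dZ inputs are constructed samples (the post does not show them); the AVC lines are the ones from the post, unwrapped. Nothing here mounts anything, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Offline checks for an NFS
# mount that was requested with -o context=...: does /proc/mounts carry
# the option, does ls -dZ show the same type, and what allow rule would
# the AVC denials need? All inputs are embedded samples; nothing is mounted.

# Constructed /proc/mounts lines: one mount with context=, one without.
MOUNTS_SAMPLE='192.168.1.100:/data/test /mnt/test nfs rw,vers=3,context=system_u:object_r:httpd_sys_content_t:s0,addr=192.168.1.100 0 0
192.168.1.100:/data/other /mnt/other nfs rw,vers=3,addr=192.168.1.100 0 0'

# Constructed ls -dZ output for /mnt/test, in the layout the post shows.
LSZ_SAMPLE='drwxr-xr-x  65534 65534 system_u:object_r:nfs_t   /mnt/test'

# The two AVC denials from the post, one per line.
AVC_SAMPLE='Dec  7 17:30:14 vm-37 kernel: audit(1197066614.787:240): avc:  denied  { search } for  pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Dec  7 17:30:14 vm-37 kernel: audit(1197066614.787:241): avc:  denied  { getattr } for  pid=18066 comm="httpd" name="" dev=0:14 ino=4301717509 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# mount_context_type MOUNTPOINT: reads /proc/mounts text on stdin and prints
# the SELinux type carried by that mount's context= option (empty if none).
mount_context_type() {
  awk -v mp="$1" '
    $2 == mp {
      n = split($4, o, ",")
      for (i = 1; i <= n; i++)
        if (o[i] ~ /^context=/) {
          v = o[i]; sub(/^context=/, "", v); gsub(/"/, "", v)
          split(v, f, ":"); print f[3]; exit
        }
    }'
}

# lsz_type: reads one ls -dZ line on stdin and prints the type field of the
# object label (user:role:type[:level]).
lsz_type() {
  awk '{ split($4, f, ":"); print f[3] }'
}

# avc_to_allow: reads AVC "denied" lines on stdin and prints one allow rule
# per (source type, target type, class), merging the permissions, the way
# audit2allow summarises them.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      p = $0; sub(/.*denied +[{] */, "", p); sub(/ *[}].*/, "", p)
      match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
      split(s, sa, ":"); split(t, ta, ":")
      key = sa[3] " " ta[3] ":" c
      if (!(key in perms)) { keys[++k] = key; perms[key] = "" }
      n = split(p, pa, " ")
      for (i = 1; i <= n; i++)
        if (!((key, pa[i]) in seen)) { seen[key, pa[i]] = 1; perms[key] = perms[key] " " pa[i] }
    }
    END { for (i = 1; i <= k; i++) printf "allow %s {%s };\n", keys[i], perms[keys[i]] }'
}

# verify_mount_context MOUNTS LSZ_LINE MOUNTPOINT EXPECTED_TYPE: succeeds only
# when the mount carries context= with EXPECTED_TYPE and ls -Z agrees; the
# message names which check failed.
verify_mount_context() {
  opt=$(printf '%s\n' "$1" | mount_context_type "$3")
  lbl=$(printf '%s\n' "$2" | lsz_type)
  if [ -z "$opt" ]; then
    echo "$3: no context= option on the mount"; return 1
  elif [ "$opt" != "$4" ]; then
    echo "$3: mount option type is $opt, expected $4"; return 1
  elif [ "$lbl" != "$4" ]; then
    echo "$3: mount option says $opt but ls -Z shows $lbl"; return 1
  fi
  echo "$3: ok, labelled $4"
}

# Run against the embedded samples.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
verify_mount_context "$MOUNTS_SAMPLE" "$LSZ_SAMPLE" /mnt/test httpd_sys_content_t || :
```

On a real box the inputs come from `cat /proc/mounts`, `ls -dZ /mnt/test` and `grep avc /var/log/messages` (or `ausearch -m avc`); the generated rule is what the post's line "allow httpd_t nfs_t:dir { search getattr };" amounts to, and it shows why that route is too broad: it keys on nfs_t, so every NFS mount on the host becomes reachable by httpd_t, which is exactly the accidental exposure the poster wants the per-mount context= label to prevent.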


